There are many facets of contingency planning but the two main focal points are business continuity and disaster recovery. Sometimes these terms are used synonymously, however there is a clear distinction between the two. Business continuity planning focuses on your business functions and the processes that run your business, where as disaster recovery planning focuses on the technology that supports the business. Disaster recovery planning includes items such as data backups, critical applications, servers, infrastructure, and networks. Recovering your critical business functions would not be possible without the proper technology in place, and this requires disaster recovery planning.
- conduct a full Business Impact Analysis (BIA)
- ensure that critical data is backed up regularly and stored off site
- understand how quickly you need your data, and from what point the data should be recovered
- ensure critical systems and data are accessible from an alternate location
- document recovery procedures
Simply backing everything up and duplicating your entire current environment can be a method for ensuring you’ve protected everything however, it is a bit unrealistic and costly. In order to properly plan you must first understand what the vital components of your technology are. Through a BIA you can identify your critical systems; critical applications; and critical data. By conducting a full business impact analysis of each of your departments you will get a complete picture as to what your business truly needs to stay up and running. This is also essential to help you budget properly and identify where your recovery dollars must be prioritized.
Once critical data is identified, it is vital that it is backed up on a regular schedule (i.e. daily, every 15 minutes). The data must be stored off site and this can be done in various ways (ie. cloud backup, server replication to alternate data center). Backing up your data and keeping it in the same location as your current production data is useless.
From your business impact analysis you will also determine what your timing objectives are for each application. Meaning how quickly do you need your data and from what point should it be restored. A Recovery Time Objective (RTO) indicates how quickly you need access to your data (i.e. within 4 hours; within 24 hours). A Recovery Point Objective (RPO) indicates at what point your data should be recovered at (i.e. last nights backup; last 15 minutes). These are the requirements that will guide the build out of your recovery plan. These timings will indicate where your recovery priorities lie and will determine which applications should be recovered first and how quickly.
If you are unable to return to your main office due to a building disruption, you must ensure that you can continue work from an alternate location. At a minimum you should be able to access the technology that you’ve identified as your critical requirements. Working remotely from home needs to be a consideration, or working from an alternate recovery site. Accessing your technology and data from any alternate location must be tested regularly.
Ensure that detailed recovery procedures for each of your critical systems and applications are clearly documented, and tested regularly. No matter how much backup is in place, clear instructions must be available on how to recover them. You can not ensure that your regular staff will be available, therefore you need to ensure that detailed recovery procedures are available so that other staff members would be able to use the instructions to recover your critical systems.
Your information technology team is a vital part of your organization and your planning and recovery efforts. They must be included in all facets of your recovery planning. However, it should not be up to their discretion to identify and decide what should or should not be recovered, protected and planned for. Information technology will certainly be instrumental in ensuring what your business have identified is prioritized, backed up accordingly, documented, tested, and maintained. It is up to the business to decide what they really need to keep your business up and running.
Once all your recovery requirements are identified and your backups are in place, and once all your recovery procedures are documented and tested this does not mean that you are now done. Technology is an area that is constantly changing, evolving, improving, and therefore must always be maintained. Not annually, but daily tracking and documenting of changes that impact your recovery plans is essential. Utilize change control management on all of your critical systems, to ensure that any changes made in production to a critical function, system, or application are also included in your disaster recovery plans.
In an effort to reduce time and costs, occasionally a decision may be made to skip over certain departments and only include the high profile departments. In an effort to be frugal you may have inadvertently overlooked something essential. The lack of doing a full Business Impact Analysis on all departments could impact your planning and worse of all jeopardize your recovery. It’s usually better to ensure that all your bases have been covered, and leave no stones left unturned.
Budget is always a concern no matter what size or type of company you have. Minimizing your spending when it comes to your recovery efforts puts your organization at a greater risk. In the long run you may find that you have cost your company more money by not being properly prepared. Disaster recovery planning can be very costly because it includes technology, infrastructure, data storage. These are all essential to the recovery of your business. Once your critical requirements have been identified, proper budgeting needs to be included on an annual basis to ensure the plan is maintained.
Your business continuity planning will include procedures for all departments including your IT department. However, your IT plan is not the same as a disaster recovery plan. Those are the procedures for how to manage your IT department, and would only include systems and applications that your IT department uses. It will not include every critical system for your organization. A disaster recovery plan should include all critical technology for your entire organization and should be a plan unto itself.
Disaster recovery is a vital part of contingency planning for any organization. Identification of your critical requirements for each department will be the basis for your disaster recovery planning efforts. Documentation of recovery procedures, backing up data off site, and regular testing will ensure the validity of your plans. Your information technology department is the key to your disaster recovery plan, but they should not be the drivers. Maintaining your disaster recovery plan on a daily basis is critical to your organizations recovery.
More expert advice about Business Operations
Photo Credits: Yastremska/bigstock.com; Check Man, Cross Man and Jump Man © ioannis kounadeas - Fotolia.com